UMA Stream Authorization Protocol (USAP)

Living Document,

Previous Versions:
Issue Tracking:
GitHub
Editor:
(Ghent University - imec)

CC0 To the extent possible under law, the editors have waived all copyright and related or neighboring rights to this work. In addition, as of 20 October 2025, the editors have made this specification available under the Open Web Foundation Agreement Version 1.0, which is available at https://www.openwebfoundation.org/the-agreements/the-owf-1-0-agreements-granted-claims/owfa-1-0. Parts of this work may be from another specification document. If so, those parts are instead covered by the license of that specification document.

Abstract

This is a specification for adding authorization on services with uma. This spec defines an authorization abstraction layer over streams and non-http based protocols.

1. Introduction

Modern distributed systems increasingly rely on continuous or session-based service interactions—spanning data streams, message brokers, IoT telemetry, or custom transport protocols. Traditional authorization frameworks like OAuth 2.0 and UMA 2.0 primarily target discrete, HTTP-based request/response exchanges. The UMA Stream Authorization Protocol (USAP) extends UMA with a simple mechanism for maintaining continuous access authorization to non-HTTP services, including streaming resources, while preserving UMA’s policy-driven and decentralized properties. Throughout this document, “stream” is used as a shorthand for these long-lived service interactions.

This document defines:

2. Terminology

This specification reuses terms from [oauth20], [uma-fed], and [uma-grant].

Additional terms:

3. Architecture Overview

+---------+   Obtain RPT (3)   +----------------+  introspect (6)  +----------------------+
| Client  |===================>| Authorization  |<================>| Resource Server (RS) |
|         |                    |   Server (AS)  |                  |                      |
|         |                    +----------------+                  |                      |
|         |          Obtain Service Token (4/6)                    |                      |
|         |<======================================================>|Service Token Endpoint|
+---------+                                                        +----------------------+
      ^                                                                       ^
      |                  Service / Stream Channel (5)                         |
      +-----------------------------------------------------------------------+

  1. The client discovers a protected stream or service endpoint.

  2. If no valid token is presented, the RS issues a UMA permission ticket.

  3. The client obtains or refreshes an RPT from the AS.

  4. The client exchanges the RPT (and any Session ID) for a Service Token at the RS’s /service/tokens endpoint.

  5. The Service Token is used on the continuous service or stream channel.

  6. The RS enforces continuous authorization through token expiry, introspection, and revocation.

4. Service Token Endpoint Definition

POST /service/tokens

Description: Exchange a valid UMA Requesting Party Token (RPT) for a short-lived stream token authorizing access to a specific stream resource.

Request

POST /service/tokens HTTP/1.1
Host: rs.example.org
Authorization: Bearer <RPT>
Content-Type: application/json
...

{
  "resource_url": "https://rs.example.org/service_1",
  "resource_scopes": ["urn:example:css:modes:continuous:read"]
}

Response

HTTP/1.1 200 OK
Content-Type: application/json

{
  "service_token": "eyJhbGciOi...",
  "expires_in": 60,
  "session_id": "a91e45a2-..."
}

The client uses service_token as a bearer or proof-of-possession credential when initiating the stream. To maintain continuous access, the client MUST refresh the service token before it expires, by getting a new RPT from the AS. This can be done either by getting a ticket from the RS again, sending the required permissions directly to the AS, or by using refresh tokens at the AS. This RPT can then be used to extend the session of the stream redeeming it at the Service Token Endpoint.

Request

POST /service/tokens HTTP/1.1
Host: rs.example.org
Authorization: Bearer <RPT>
Content-Type: application/json
...

{
  "resource_url": "https://rs.example.org/service_1",
  "resource_scopes": ["urn:example:css:modes:continuous:read"],
  "session_id": "a91e45a2-..."
}

Response

HTTP/1.1 200 OK
Content-Type: application/json

{
  "expires_in": 60,
  "session_id": "a91e45a2-..."
}

5. Discovery

The RS SHOULD make the Service Token Endpoint discoverable via Link headers (if the Service Resource is HTTP-based) or .well-known URIs. Request:

GET /service_1 HTTP/1.1
Host: rs.example.org

Response:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: UMA as_uri="https://as.example.org", ticket="eyJhbGciOi..."
Link: <https://rs.example.org/service/tokens>; rel="service_token_endpoint"

GET /.well-known/uma2-configuration HTTP/1.1
Host: rs.example.org
...

Response:

HTTP/1.1 200 OK
Content-Type: application/json

{
  "service_token_endpoint": "https://rs.example.org/service/tokens"
}

6. Token Validation and Lifetimes

The RS MUST introspect the RPT with the AS to verify its validity before issuing a stream token. The RS MUST embed an exp claim and a unique jti in each stream token. The RS MUST terminate the stream when:

7. Applicability to Media and Data Streams

USAP is agnostic to transport. The same control interface can authorize continuous access to:

8. Security Considerations

All communications MUST occur over TLS. Tokens SHOULD be proof-of-possession (mTLS or DPoP) bound. Service tokens MUST be short-lived (shorter than the RPT token) and audience-restricted to the RS.

9. Future Work

Potential extensions include: Push-based token revocation notifications from the AS to the RS.

10. References

[oauth20], [uma-fed], [uma-grant]

Conformance

Conformance requirements are expressed with a combination of descriptive assertions and RFC 2119 terminology. The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in the normative parts of this document are to be interpreted as described in RFC 2119. However, for readability, these words do not appear in all uppercase letters in this specification.

All of the text of this specification is normative except sections explicitly marked as non-normative, examples, and notes. [RFC2119]

Examples in this specification are introduced with the words “for example” or are set apart from the normative text with class="example", like this:

This is an example of an informative example.

Informative notes begin with the word “Note” and are set apart from the normative text with class="note", like this:

Note, this is an informative note.

References

Normative References

[OAUTH20]
D. Hardt, Ed.. The OAuth 2.0 Authorization Framework. October 2012. Proposed Standard. URL: https://www.rfc-editor.org/rfc/rfc6749
[RFC2119]
S. Bradner. Key words for use in RFCs to Indicate Requirement Levels. March 1997. Best Current Practice. URL: https://datatracker.ietf.org/doc/html/rfc2119
[UMA-FED]
Maciej Machulak; Justin Richer; Eve Maler, Ed.. Federated Authorization for User-Managed Access (UMA) 2.0. 7 January 2018. Recommendation. URL: https://docs.kantarainitiative.org/uma/wg/rec-oauth-uma-federated-authz-2.0.html
[UMA-GRANT]
Maciej Machulak; Justin Richer; Eve Maler, Ed.. User-Managed Access (UMA) 2.0 Grant for OAuth 2.0 Authorization. 7 January 2018. Recommendation. URL: https://docs.kantarainitiative.org/uma/wg/rec-oauth-uma-grant-2.0.html